(19) 



J 



Europaisches Patentamt 
European Patent Office 
Office europeen de9 brevets 



(12) 



(11) EP 0 778 512 A2 

EUROPEAN PATENT APPLICATION 



(43) Date of publication: 

11.06.1997 Bulletin 1997/24 

(21) Application number: 96308246.6 

(22) Date of filing: 14.11.1996 



(51) Int CI G06F 1/00 



(84) 


Designated Contracting States: 


(72) 


Inventor: Rose, John R. 




DE FR GB IT NL 




San Jose, California 94120 (US) 


(30) 


Priority. 08.12.1995 US 569804 


(74) 


Representative: 








Cross, Rupert Edward Blount et al 


(71) 


Applicant: SUN MICROSYSTEMS, INC. 




BOULT WADE TEN N ANT 




Mountain View, California 94043-1100 (US) 




27 Furnival Street 








London EC4A1PQ (GB) 



(54) System and method for managing try-and-buy usage of application programs 



(57) A system and method for managing the distri- 
bution of licensed application programs stored on a 
server over a distributed computer system maintains 
control over the program even after the program has 
been distributed to a client computer from a provider on 
an information server. Protection may include license 
expiration date verification, authorized user ID verifica- 
tion, and protection against decompilation and reverse 
engineering by maintaining the program in an encrypted 
form until verification of the expiration date and user 
identity are complete and the program is ready for de- 
coding, loading into the client computer CPU, and exe- 
cution. A user identifies a program for trial use by any 
conventional means such as by using a network brows- 



er on the World Wide Web. The server recognizes a user 
request to access the application program. The server 
may have an agent on the client computer for performing 
certain predetermined administrative tasks. This agent 
may take the form of an application builder program 
module, provided by the trial application provider, which 
is resident on the client computer. The server (including 
the agent) determines whether program access condi- 
tions are satisfied, and if satisfied transmits a version of 
the program to the client. The transmitted file includes 
an encrypted portion. The server and agent also verify 
that the user is currently entitled to execute the applica- 
tion program including that the trial license has not ex- 
pired at the time the user initiates execution, and gen- 
erates an executable version of the application program. 
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Description 

The present invention relates to systems and meth- 
ods for managing the distribution of licensed application 
programs and application program components, includ- 
ing the distribution of trial versions of applications and 
components that automatically expire after the expira- 
tion of predefined trial usage privileges. 

BACKGROUND OF THE INVENTION 

For the purposes of this document, the term "appli- 
cation program" is defined to include applets and other 
application program components. A component is an in- 
complete program fragment. Users can integrate appli- 
cation program components into a new application us- 
ing an appropriate tool, such as the Application Builder 
of the present invention, discussed below. 

A number of different try and buy" systems for dis- 
tributing application programs and other types of com- 
puter software have been used in prior art systems. The 
most common mechanisms for limiting the rights of the 
users of the trial versions of application programs are 
"time bombs," which disable the program after the expi- 
ration of a certain date, "usage metering" schemes 
which attempt to meter the number of hours of usage of 
the program and disable it after usage reaches a prede- 
fined limit, and various "capability limitation" schemes 
in which the capabilities of the trial version of the appli- 
cation are so limited that end users are motivated to li- 
cense the standard version of the program. 

While software security systems in the past have 
attempted to prevent program copying using a number 
of copy protection schemes, including requiring end us- 
ers to know a password or to possess a physical token 
that enables use of the program, such copy protection 
systems have generally not been used in existing try and 
buy software dissemination systems. The problem is 
particularly acute when the program is distributed over 
a distributed computer system, because the program file 
sent to a user over a wire or other communication chan- 
nel is inherently copyable. 

It is a goal of the try and buy" system and method 
of embodiments of the present invention to prevent us- 
ers from disseminating executable copies of applicaticn 
programs to other end users, because those other end 
users have not necessarily agreed to the licensing terms 
of the program's owner. 

Another goal of the embodiments is to give the own- 
ers of application programs reliable information about 
the parties who have requested trial use of those pro- 
grams. 

Another goal of the embodiments is to make acqui- 
sition of limited use rights (e.g., the right to use a trial 
version of a program) as automatic as possible so as to 
make the use of trial versions of programs as easy as 
possible. 

Another goal of the system and method of embod- 



iment of the present invention is to limit generation of an 
intelligible version of a file including an application pro- 
gram to a user only when the user is currently entitled 
to access the file. 

5 A further goal of the embodiment is provide a sys- 
tem and method for limiting the period of time and stor- 
age location during which an intelligible version of a file 
is available to a user. 

Another goal of the system and method of embod- 

to iment of the present invention is to limit generation of an 
executable version of an application program to a user 
only when the user is entitled to execute the application 
program at the time execution is attempted by the user 



In summary, the present invention provides a sys- 
tem and method for managing the distribution of li- 
censed files including application programs over a dis- 
tributed computer system that maintains control over the 
files even after the file has been distributed from a pro- 
gram provider on a server to an end user on a client 
computer. Protection includes license expiration date 
verification, authorized user verification (with or without 
a termination date grace period) protection, and protec- 
tion against decompilation and reverse engineering by 
maintaining the application program file in an encrypted 
form until verification is complete and the program is 
ready for decoding and execution. 

The inventive method and system for managing us- 
age of an application program initially stored on a server 
coupled to a distributed computer system by a user in- 
cludes recognizing a user request to access an applica- 
tion program, determining whether predetermined ac- 
cess conditions are satisfied, transmitting a version of 
the application program to the computer associated with 
the user making the request for receipt and storage only 
when the access conditions have been satisfied, further 
verifying prior to program execution that the user is cur- 
rently entitled to execute that received application pro- 
gram, and generating an executable version of the ap- 
plication program from the transmitted version only if the 
verification is affirmative. 



Examples of the invention will now be described in 
conjunction with the drawings, in which: 

Fig. 1 is a block diagram of an embodiment of a dis- 
tributed computer system embodying the present inven- 
tion. 

Fig. 2 is a schematic representation of an exempla- 
ry Web site page used to disseminate trial versions of 
programs that are available for licensing. 

Fig. 3 is a block diagram of an exemplary header 
record of the stored version of the Application Program 
on a server in a preferred embodiment of the invention. 

Fig. 4 is a block diagram of an exemplary header 
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record of the transmission format of the trial version of 
an application program shown in Fig. 3 in a preferred 
embodiment of the invention. 

Fig. 5 is a block diagram of an alternate form of an 
exemplary header record of the transmission format of 5 
the trial version of an application program shown in Fig. 
4 in another preferred embodiment of the invention. 

Fig. 6 is a block diagram of an exemplary header 
record of the execution format of the trial version of an 
application shown in Fig. 4 in a preferred embodiment 
of the invention. 

Fig. 7 is a schematic representation of a menu pre- 
sented by the Application Builder for executing trial ver- 
sions of Application Programs. 

Fig. 8 is a flow chart of an embodiment of the trial 
application program execution method of the present in- 
vention. 

Fig. 9 is a flow chart of an alternative embodiment 
of the trial application program execution method of the 
present invention. 

DESCRIPTION OF THE PREFERRED EMBODIMENT 

Referring to Fig. 1 , there is shown a distributed com- 
puter system 100 having many client computers 102 
and at least one information server computer 104. In the 
preferred embodiment, each client computer 102 is con- 
nected to the information server 104 via network inter- 
connectivity means such as the Internet 106, although 
other types of communication connections could be 
used. While most client computers are desktop comput- 
ers, such as Sun workstations, IBM compatible comput- 
ers and Macintosh computers, virtually any type of com- 
puter can be a client computer. One or more users (not 
shown) are associated with each client computer 102. 

In the preferred embodiment, each client computer 
includes a CPU 107, a user interface 108, primary mem- 
ory 118 (such as fast random access memory), user 
communication interface 119 for communicating with 
the information server computer 104 via communication 
network 106, and additional memory 109 for storing an 
operating system 110, a World Wide Web browser pro- 
gram 1 1 1 , an Application Builder program 112, and one 
or more Application Programs 117. The Application 
Builder program 11 2 and Application Programs 117 con- 
tain features provided specifically by the present inven- 
tion. Optionally included among these features is a client 
Licensee ID 103 imbedded in the Application Builder 
1 1 2 and used for access verification as described in de- 
tail below. The Application Builder 112 also preferably 
includes a pair of public and private keys 113 that are 
unique to the client computer, a program decoder mod- 
ule 114, a license handling module 115, and a program 
execution module 116. 

The information server 104 includes a central 
processing unit (CPU) 120, primary memory 122 (i.e., 
fast random access memory) and secondary memory 
124 (typically disk storage), a user interface 126, and a 



communications interface 128 for communication with 
the client computers 102 via the communications net- 
work 106. 

For the purposes of the present discussion, it will 
be assumed that the information server's secondary 
memory 124 stores: an operating system 130, a World 
Wide Web server application and a corresponding set 
of Web pages 1 32, a trial licensing application program 
134 for handling the licensing of Application Programs 
to end users associated with client computers 102, a 
copy of the aforementioned Application Builder 136 for 
transmission and licensing to end users, a pair of public 
and private encryption keys 1 37 for the server, and cop- 
ies of the trial versions of various Application Programs 
138, 140, 142 for transmission and licensing to end us- 
ers. 

It is also assumed for the purposes of the present 
discussion that the information server 104 is a World 
Wide Web Server, but other information servers may al- 
ternatively be employed. The Web Server application 
1 32 controls the server's responses to requests by client 
computers 102 to retrieve files using standard World 
Wide Web (WWW) protocols. The Web Server Applica- 
tion works with a set of Web source files, which are the 
documents and other files or objects that client comput- 
ers 102 receive in response to properly formed re- 
quests. The present embodiment does not modify the 
Web Server application 1 32. Thus, operation of the Web 
Server site insofar as client computers 102 are con- 
cerned remains unchanged by the present embodiment. 

Referring to Fig. 2 there is shown a schematic rep- 
resentation of an exemplary home page 1 60 of the Web 
site (information server) 1 04, accessible by a user using 
client computer 102. The home page 160 includes a 
general information section 163 having menu selection 
buttons for obtaining information about the Try & Buy 
Program 165, Licensing Terms and Conditions 166, in- 
formation about the Application Builder 167, and infor- 
mation about one or more Application Programs 168. 
For example, each Application Program may be de- 
scribed in terms of its functionality, storage require- 
ments, minimum processor requirements for execution, 
monetary costs for permanent versions of the applica- 
tion program, and the like. Licensing terms and condi- 
tions may be Application Program specific, and further 
may contain provisions for specific Licensees or classes 
of Licensees. 

The home page 160 of the Web site (information 
server) 1 04 also includes a Trial Version Program Down- 
load Selection Section 164 having a submenu 169 that 
includes selection buttons for each of several Applica- 
tion Programs as well as a button 1 70 for selecting the 
Application Builder. To download a Trial Version of any 
of the listed programs, the user merely selects one or 
more programs of interest from the menu in section 164. 

Alternately, the Web page may contain specialized 
HTML annotations, such as Java language applets that 
make contact with the user's Application Builder and 
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cause it display remotely available applications as if they 
were on a similar organizational footing with locally 
available applications. 

The Application Program file is stored in one or 
more of several different formats depending on where s 
in the distributed computer system 100 the file exists or 
is stored. There are four storage formats of particular 
interest: 

• the Server Format, which is the format of the Appli- 
cation Program in Secondary Memory 124 of Infor- 
mation Server 104 prior to selection by a particular 
user; 

• the Transmission Format, which is the format of the 
Application Program in storage in Secondary Mem- 
ory 1 24 of Information Server 1 04 after selection by 
user for downloading to client computer 102, and 
during transmission to the user; 

• the Client Storage Format, which is the format of 
the Application Program in storage in memory 109 
of the client computer 102 after the downloading is 
complete but prior to verification and execution (de- 
scribed hereinafter); and 

• the Execution Format, which is the format of the Ap- 
plication Program in temporary storage in RAM 118 
and/or CPU 1 07 during execution of the Application 
Program. 

The differences in the formats relate generally to ex- 
istence and content of ancillary file information associ- 
ated with the Application Program and the user (where 
applicable) such as information contained in header 
records, and with the encrypted or decoded condition of 
the executable program and other fields. Each of these 
formats is described in greater detail below with respect 
to Figs. 3-6. 

For the purposes of this document, the terms "de- 
code" and "decrypt" shall be used synonymously to refer 
to the process of reversing the encryption of a set of 
information. Similarly, the adjectives "decoded" and "de- 
crypted" shall be used synonymously to refer to a set of 
unencrypted information that was generated from a cor- 
responding set of encrypted information. 

In reference to Fig. 3, a schematic illustration of the 
Server Format 180 of an Application Program trial ver- 
sion 1 38 is shown. The Server Format includes the non- 
encrypted application program 181 , and may optionally 
include information fields for Application I D 1 83, License 
Termination Date 185, and Licensee ID 184. These files 
are optional because prior to selection by a particular 
user, the file is generic for all potential users and no such 
information (except the Application ID) is applicable to 
the application program file. The particularized server 
format includes each of the Application ID 183, License 
Termination Date 185, and Licensee ID 184 fields and 
may either be created and stored as an actual file on the 
server or may exist only transiently as the generic server 
format is particularized to the requesting user and en- 



crypted to generate the transmission format prior to 
transmission to the client computer. Note that the server 
formatted version of the application program could be 
stored in an encrypted form, but decryption followed by 
encryption would be required to encrypt the application 
program with the public key associated with the client 
computer Application Builder 112. 

The Server Format of an application program in the 
preferred embodiment also includes a copy of the serv- 
er's public key 187 (to be used by client computers), 
documentation 188 for the application program, as well 
as text 189 representing the trial licensing terms for the 
application program and relicensing terms. 

Once the user has selected an Application Program 
for trial use the user is associated with a I icensed version 
of the Application Builder. This Application Builder li- 
cense may be preexisting or may have been allocated 
to the user in conjunction with selection and download- 
ing of the trial version of an Application Program. In ei- 
ther situation, the Application Builder is licenced to the 
user and a licensee identifier is associated with that us- 
er. Server 104 includes an Encryption Module 135 that 
encrypts the Application Program stored in Server For- 
mat 180 based on a public key 1 1 3 associated with the 
user to generate a transmission format of the same Ap- 
plication Program. 

In reference to Fig. 4, a schematic illustration of the 
Transmission Format 186 of an Application Program tri- 
al version 138 is shown. The transmission format in- 
cludes an encrypted version of the Application Program 
executable code 181 , an Application Program ID 183, a 
proper licensee ID for the particular user 184, a license 
termination date 1 85, as well as copies of the public key, 
documentation and license informational fields 187, 
188, 189. in the preferred embodiment all fields of the 
Transmission Format 186 are encrypted with the user's 
Application Builder public key 11 3 to prevent eavesdrop- 
ping and unauthorized copying or modification of the ap- 
plication program and/or control information. 

Furthermore, in the preferred embodiment the con- 
trol information (i.e., header fields 183-185) is first en- 
crypted with the server's private key prior to encryption 
of the entire file 186 with the user's Application Builder 
public key. In this way double encryption is used to pro- 
tect the control information. More generally, it is desira- 
ble that none of the Application Program itself, and none 
of the header fields 183, 184, 185, appear as clear text 
during transmission from server 1 04 to client computer 
102 over the network 106. 

While the term "header" fields or information has 
been applied to the identification information fields in 
this description, and such information fields are shown 
for simplicity as a plurality of contiguous records in the 
file (e.g. Figs 3, 4, and 6), it should be understood that 
the identification information may be placed in any pre- 
determined location in the application program file so 
long as the Application Builder 1 1 2 can locate and inter- 
pret the information during the verification and decoding 
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procedures prior to execution of the application pro- 
gram. For example, Fig. 5 is a block diagram showing 
a version of the transmission format in which the license 
ID 184, and License Termination Date 185 are located 
within the body of Application Program 1, which is split 
into parts A, B, and C. Such intermingling of the identi- 
fication and security information with in g the body of the 
Application Program is generally applicable to all of the 
formats described. Placement of the identification infor- 
mation within the application program itself enhances 
security by making it extremely difficult for even an au- 
thorized user of the application to locate and alter the 
identification information, including the licensee ID and 
the license termination date. 

The Client Storage Format of an application pro- 
gram trial version, while not shown in a separate figure, 
is the same as the Transmission Format 186, with a de- 
crypted copy of the control information (header fields 
183-185) "pre-pended" at the front of the file. The de- 
crypted control information is not "trusted" by the Appli- 
cation Builder because it is subject to manipulation by 
the user, but is rather compared with the encrypted con- 
trol information at execution time. In an alternate em- 
bodiment, the Client Storage Format is the same as the 
Transmission Format, and the control information is not 
stored in clear text form. 

In reference to Fig. 6, a schematic illustration of the 
Execution Format 196 of an Application Program trial 
version 138 is shown. The Execution Format 196 in- 
cludes a decrypted and decoded version of the Applica- 
tion Program. It need not necessarily include application 
identifier 183, licensee identifier 184, or licensee termi- 
nation date 185. Although such information may be car- 
ried along in the file, it does not represent executable 
code and serves no further security purpose after veri- 
fication and decoding. 

In the preferred embodiment the executable code 
is only available transiently during execution of the Ap- 
plication Program in RAM 118 or CPU 107 of the client 
computer. It is not stored in decrypted or decoded form 
on any mass storage device in a human readable form. 
The Execution Format of the Application Program is es- 
sentially a decrypted version of the transmission version 
that is generated by the Application Builder 112 on the 
client computer 102 after the Application Builder has 
verified the validity of the license for the particular user 
and has decoded the Application Program so that it is 
in the proper format for execution by the client computer 
102. 

Referring to Fig. 7, after one or more trial Applica- 
tion Programs have been downloaded to and stored on 
client computer 102, a user associated with that client 
computer may decide to execute one of the Application 
Programs. In one embodiment of the invention, the user 
will be presented with a menu 192 on a display screen 
of user interface 108, including a list 193 of available 
application programs. The user may then select an Ap- 
plication Program, for example Application2. The client 



computer will respond to this selection by displaying the 
Expiration Date of the Selected Application 194, and 
may present other information pertaining to execution 
of the selected application. It may for example provide 
5 a description of input/output data types, file formats, re- 
lated programs, and the like to assist the user in using 
the program. This information is found in the documen- 
tation field 188 of the stored application program. Addi- 
tional menus for viewing other information, such as li- 
cense terms and relicensing information (from field 189) 
may also be provided. These displays may be integrated 
by the Application Builder with similar displays for locally 
stored, fully licensed programs. 

Referring to Fig. 8, an embodiment of the method 
300 of the present invention for managing use of an Ap- 
plication Program by a user on a distributed computer 
system 100 is shown. The Application Program is initial- 
ly stored as a Server Format version 180 of the Appli- 
cation Program on server 104. Execution starts at Step 
302 in response to a user's request for a trial version of 
an Application Program. At step 304 the server 104 
monitors requests for information and program access 
from the client computer connected to the server com- 
puter. Application Builder 112 may act as an agent for 
the server by initiating communication with the server in 
response to a request by client computer 102. At step 
306 server 104 recognizes a request from a user asso- 
ciated with one of the client computers 102 to access 
the trial version of an Application Program. 

Upon selecting an application program (or the Ap- 
plication Builder) for downloading, user will optionally be 
presented with a reminder that the requested program 
is made available to the user for trial use only under con- 
ditions of the license agreement. The terms of the li- 
cense agreement are then displayed for the user's re- 
view on the display screen, and the user is prompted by 
the server (possibly through the Application Builder 112 
acting as an agent for the sewer) to accept the license 
terms. In one embodiment of the invention, the accept- 
ance of the license is preferably made explicitly by an 
affirmative action by the user before the selected appli- 
cation program will be downloaded. For example, the 
user may be requested to input a identifying name, or 
to retype a verification code such as the user's licensee 
ID for example, presented by the server for transmission 
to the server. Alternatively, the acceptance may be more 
passive, such that unless the user declines to accept 
the license terms, the license is accepted and file down- 
loading commences. 

At step 308, the server compares predetermined 
program access restrictions for the Application Program 
with client computer access privileges and determines 
whether predetermined access conditions are satisfied 
by the requesting client computer. At step 310, the serv- 
er determines whether the client privileges satisfy Ap- 
plication Program access requirements. The access re- 
quirements in the preferred embodiment are (A) owner- 
ship of a valid license for the Application Builder by the 
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user or associated client computer, (B) receipt of the us- 
er's Application Builder public encryption key from the 
user's Application Builder, and (C) explicit user accept- 
ance of the licensing terms for the trial version of the 
selected Application Program. The information from the 
user will typically identify the user and the type of com- 
puter platform being used. This information about the 
user can be automatically provided to the owners of the 
requested application program, thereby providing the 
owners with reliable information about the parties who 
have requested trial use of those programs. 

At Step 312, if the access conditions are not satis- 
fied then access to the trial version of the user selected 
Application Program are denied (at least temporarily un- 
til access restrictions are satisfied). However, if the ac- 
cess conditions are satisfied (Step 314) then server 104 
generates a Transmission Version of the user selected 
Application Program from the Server Format version on 
the server, and then transmits the Transmission Format 
version of the requested Application Program to the cli- 
ent computer. The Transmission Format version of the 
Application Program is preferably generated for a par- 
ticular user and contains user identification information 
including a licensee identification code or number 184 
as described earlier with respect to Fig. 3. Furthermore, 
all or a significant portion of the Application Program 
code is encrypted in the Transmission Format version 
of the Application Program. In the preferred embodi- 
ment, the Application Program is encrypted using RSA 
encryption programs with the user's public key being 
used as the encryption key. As understood by those 
skilled in the art, the encrypted Application Program can 
be decoded by corresponding RSA decoding programs 
with the user's private key. 

The transmission formatted version is received by 
the client computer and is preferably stored in memory 
109 in the client storage format for later execution and 
use. 

The Application Program now resides on the client 
computer While the user may choose to immediately 
execute the program, the user could also desire to use 
the program for the first time or additional times at a fu- 
ture date. It is therefore important to provide a mecha- 
nism for verifying that the client computer is still entitled 
to use the Application Program at the current or ambient 
date. 

In Step 31 6 the Application Builder 112 acting as an 
agent for the server 104 (independent of connection be- 
tween the server 1 04 and the client computer 1 02 at that 
time) verifies prior to execution of the program that the 
client computer is currently entitled to execute the Ap- 
plication Program. To perform this "control information" 
verification, the stored, doubly encrypted control infor- 
mation is decrypted using the Application Builder's pri- 
vate key 1 1 3 and the server's public key 1 87 (and is op- 
tionally compared with the clear text version of the con- 
trol information). Using the decrypted control informa- 
tion, the Application Builder compares the licensee ID 



184 in the Application Program with the licensee ID or 
IDs associated with the Application Builder, and com- 
pares the license termination date 1 85 in the Application 
Program with the current date. Only when the status of 
s the user is verified does the Application Builder 1 1 2 de- 
crypt the encrypted Application Program so as to pre- 
pare it for execution. The decrypted Application Pro- 
gram is preferably never stored in non-volatile memory 
of the client computer, and only exists in decrypted form 
during actual program execution. 

It is recognized that the protection afforded by com- 
paring a license expiration date encoded in the Applica- 
tion Program with the ambient computer date may in 
some instances be circumvented by altering the client 
computer ambient date; however, such alteration typi- 
cally introduces sufficient other problems into system 
operation and file management in the user's computer 
that users are not inclined to use such measures. Se- 
curity measures may further include other date checking 
procedures, such as checking file creation dates for oth- 
er files on the client's computer to determine if the actual 
date exceeds the ambient date set for the client compu- 
ter, and the like. 

in reference to Fig. 9, a more detailed description 
of a preferred embodiment of the method of the present 
invention is now provided. The user installs an Applica- 
tion Builder 112 on the client computer 102 computer 
(Step 402). The Application Builder 112 is a program 
module provided by a software vendor (such as Sun Mi- 
crosystems, Inc.) or in conjunction with the Application 
Programs made available by the provider on the server 
over the distributed computer system. The Application 
Builder acts as a local agent for the Application Program 
provider by performing various security check functions 
and program decryption functions. Application Builder 
112 builds an encryption key (Step 404) after installation 
on client computer. In the preferred embodiment an RSA 
private/public key pair is generated; however, other 
types of encryption keys may be implemented. 

The user identifies an Application Program that he 
or she is interested in trying out under the try-and-buy 
usage scheme (Step 406), such as for example by using 
a Web browser or the like. An exemplary Web page that 
would be accessed using such a Web browser is illus- 
trated in Fig. 2 and was described above. The user lo- 
cates a program that he wants to try out such as by 
mouse clicking on the Application Program name in the 
palette of submenu 169. The user may also request gen- 
eral information prior to selecting an Application Pro- 
gram, or Application Builder for downloading pertaining 
to the try & buy program by selecting menu item 165, 
on the Application Programs available by selecting one 
of menu items 168, on the applicable licensing terms 
and conditions by selecting menu item 166, or general 
information on the Application Builder by selecting menu 
item 167. 

Identification of an Application Program for trial use 
initiates a procedure to request a trial license from the 
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try-and-buy server 104 of the distributed computer sys- 
tem (Step 408). In the preferred embodiment, the Appli- 
cation Builder 1 1 2 acts as the user's agent in requesting 
the trial license for the selected try-and-buy Application 
Program and as the server's agent in providing the trial 5 
application and license. This activates the Trial License 
Application Program Module (TLAPM) 1 34 in the server 
(Step 41 0), which confirms that the client computer has 
either a valid licensed copy or valid trial copy of the Ap- 
plication Builder (Step 412). io 

If the client computer 1 02 associated with user does 
not have a validly licensed or trial copy of the Application 
Builder, the client is prompted to review the licensing 
terms and to agree to the terms presented before a trial 
copy of the Application Builder is generated and provid- is 
ed to the user (Step 414). Acceptance of the license 
terms by the user may be implicit in making the request 
for trial license, or in a preferred embodiment the user 
will be prompted to explicitly agree to the license terms 
before the Application Program (and/or Application 20 
Builder) is transmitted to the client computer, for exam- 
ple by making an affirmative response to an acceptance 
inquiry after the license terms have been presented, and 
before the trial-and-buy program is sent to the user's 
computer. 

Once the TLAPM 134 in the server has confirmed 
that the client computer has a valid licensed copy or val- 
id trial copy of the Application Builder, it requests and 
receives the user's Application Builder Public Key (Step 
416). 

The TLAPM 134 then generates a Transmission 
Format version 1 86 of the selected try-and-buy Applica- 
tion Program (Step 41 8). The Transmission Format ver- 
sion 186 is a version of the Application Program gener- 
ated from the Server Format version 180 of the same 
Application Program that is suitable for transmission to 
the user's computer over nonsecure transmission links 
of the Network interconnectivity apparatus 106. The 
Transmission Format version 186 (a) is encrypted with 
the client computer's Application Builder Public Key, and 
(b) optionally includes a header that specifies trial li- 
cense expiration conditions, such as a trial license ex- 
piration date. The trial license expiration date may im- 
pose a hard use date limit, or may impose soft use lim- 
itations. Hard and soft use limitations are described in 
greater detail hereinafter. 

The client computer receives the encrypted Trans- 
mission Format version of the trial Application Program 
and stores it locally on the computer associated with the 
user (Step 420). The encrypted Transmission Format 
version is stored in encrypted form on the client compu- 
ter and is decrypted to generate a decoded version only 
when the application is being loaded for execution by 
the client computer. 

The trial Application Program 117 can only be re- 
ceived from the server and stored on the client computer 
in conjunction with execution of the Application Builder 
112 on the client computer. Once the Application Pro- 



gram is stored locally, the client computer can, at a us- 
er's request, initiate execution of the trial Application 
Program (Step 426). The Application Builder then veri- 
fies that the particular client computer has a valid license 
for that particular program and that the license to the 
trial Application Program has not expired. 

In one embodiment of the invention, this verification 
includes reading the Application Program file by the Ap- 
plication Builder (Step 428), and then comparing the Li- 
censee I D 1 84 in the file with a client I D (or a list of Client 
IDs) associated with the Application Builder that is li- 
censed to the client computer (Step 430). It also in- 
cludes comparing the License Termination Date 185 
with the current date (i.e., the computer's ambient date) 
and verifying that the termination date 185 is later than 
the ambient date stored on the client computer (Step 
432). The explicit examination of client ID may not al- 
ways be necessary since the presence of a validly li- 
censed Application Builder 112 may be sufficient secu- 
rity to prevent unauthorized use. The Client ID may be 
provided by the Application Builder 112 licensed to the 
client computer. Typically, possession of a valid Appli- 
cation Builder license may establish sufficient trust be- 
tween the Application Program provider and the users 
associated with the client computer. 

When the Application Builder has completed verifi- 
cation of the license, it decrypts the trial Application Pro- 
gram (Step 434) using the Application Builder's Private 
Key so that the program may be loaded for execution in 
the client computer CPU. As explained above, the 
stored, doubly encrypted control information is decrypt- 
ed using the Application Builder's private key 113 and 
the server's public key 187 and then the decrypted con- 
trol information is used to verify that user's rights to ex- 
ecute the trial application program. 

It may be seen that in the preferred embodiment, 
the trial Application Program 117 must be launched 
while running the Application Builder 112, because the 
Application Builder is needed for verification of the li- 
cense (Client ID matches Licensee ID and Termination 
date has not passed) and to decrypt the trial version of 
the application into executable code. All control informa- 
tion is verified by the Application Builder against the en- 
crypted copy of the control information, and verification 
fails if there is a mismatch. Further, the trial version of 
the application program may include further validation 
steps, such as checking the validity of the Application 
Builder's release number in accordance with predefined 
confidential validity criteria 

In this manner, the time during which the Application 
Program exists in a human readable form is limited in 
time (during execution of the Application Program) and 
in storage location (in processor memory). Limiting the 
time and physical location of unencrypted program code 
minimizes the opportunity for unauthorized copying of 
unencrypted code. Even if the encrypted program were 
to be copied, it cannot be used without a licensed Ap- 
plication Builder for that client computer, because the 
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matching Application Builder's private key, which is 
unique for each client computer on which it is installed, 
is required tor decryption. 

Restrictions and procedures similar to those de- 
scribed below for the Application Program may be ap- 
plied to requesting and receiving a trial version of the 
Application Builder 112 so that trial versions of the ap- 
plications may be obtained and executed. In the pre- 
ferred embodiment trial versions of the Application 
Builder 1 1 2 contain a time bomb that prevents operation 
of the program after a threshold date has passed. 

If the Application Builder in Steps 428-432 deter- 
mines that the Trial License to the Application Program 
has expired, the action taken by the Application Builder 
depends on which of two alternative expiration date pro- 
cedures are implemented: a hard expiration date proce- 
dure or a soft expiration date procedure. 

When a hard expiration date procedure is imple- 
mented, the Application Builder causes a message to 
be presented to the user on the client computer that the 
trial version of the Application Program has expired and 
that the Application Program previously made available 
for use to the user must now be licensed with a new 
license. Under certain conditions, the user may be given 
an opportunity to obtain another trial license; however, 
it is anticipated that if the user is offered more than one 
trial license on the same Application Program, the 
number of such trial licensees offered may be limited to 
minimize possible trial use abuse. For example it is ex- 
pected that where more than one trial license is offered 
for a single application, the total number of opportunities 
will be in the range of one to ten (1-10) and preferably 
in the range of one to three (1-3) trials. 

If a soft expiration date procedure is implemented, 
the user is warned that the trial version of the program 
has expired, and that while the user can continue to use 
the trial version for a short period of time, by a future 
termination date "year/month/day" it will be necessary 
for the user to obtain a licensed copy of the Application 
Program, or a new trial version, in order for the user to 
be able to continue using the Application Program. 

The soft expiration date version has the advantage 
that the provider is not put in the position of suddenly 
preventing use of its Application Program by the user, 
so that for example, the user may complete a task with 
ample warning. The future termination date given in the 
soft expiration date warning may either be a number of 
days in the future from the expiration date (e.g. 7 day 
grace period) or may be computed as a number of days 
forward from the ambient date on which the warning is 
given to the user. The later procedure has the advantage 
that the program will not expire without some warning to 
the user. Other soft termination date computation 
schemes may also be implemented. Particular termina- 
tion procedures may be provided to different classes of 
users or even to particular users on the basis of the client 
ID associated with the Application Builder. 



Claims 

1 . A method for managing usage of an application pro- 
gram by a user on a distributed computer system, 
5 said application program being initially stored as a 
stored version of said application program on a 
server coupled to said distributed computer system, 
said method comprising the steps of: 

jo recognizing a user request to access said ap- 

plication program; 

determining whether predetermined access 

conditions are satisfied; 

transmitting a transmission version of said ap- 

15 plication program to a computer associated 

with said user for receipt and storage only when 
said access conditions have been satisfied; 
verifying priorto execution of said program that 
said user is currently entitled to execute said 

20 received application program; and 

generating an executable version of said appli- 
cation program from said transmission version 
only if said verification is affirmative. 

25 2. The method in Claim 1 , wherein said predetermined 
conditions comprise ownership of a valid license to 
an application builder module which performs said 
verifying and generating steps. 

30 3. The method in Claims 1 or 2, wherein said deter- 
mining step includes: 

providing said user with an opportunity to sat- 
isfy and accept said predetermined but as yet 
35 unsatisfied access conditions; and 

recognizing explicit acceptance of said access 
conditions by said user. 

4. The method in Claim 3, including providing an op- 
40 portunity to accept a trial license for said application 

program. 

5. The method in Claim 2, wherein said transmission 
version of said application program comprises a file 

45 that is at least partially encrypted. 

6. The method in Claim 5, wherein said step of gener- 
ating an executable version of said application pro- 
gram from said transmission version comprises de- 

50 crypting said encrypted portion. 

7. The method in Claim 6, wherein 

said transmission version of said application 
program is encrypted with a public key associated 
55 with said user, said decryption is performed with a 
corresponding private key, and said user associat- 
ed public key and corresponding private key are 
generated by said application builder module. 
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8. A program usage management system for manag- 
ing usage of an application program by a user as- 
sociated with a client computer on a distributed 
computer network, said system comprising: 

a server coupled to said distributed computer 
system and having memory storage for storing 
said application program; 
a controller coupled to said client computer for 
recognizing a user request to access said ap- 
plication program and for determining whether 
predetermined program access conditions as- 
sociated with said application program are sat- 
isfied by said client computer; 
a program file formatter for generating a trans- 
mission version of said program file that incor- 
porates identification information associated 
with said client and a version of said application 
program that is at least partially encrypted, said 
program file formatter responsive to said con- 
troller to generate said transmission version on- 
ly when said access conditions are satisfied; 
a transmitter for transmitting said transmission 
version of said application program to said cli- 
ent computer associated with said user for re- 
ceipt and storage only when said access con- 
ditions have been satisfied; 
a license verifier for verifying prior to execution 
of said application program by said client com- 
puter that the user associated with said client 
computer is currently entitled to execute said 
application program; and 
a program decoder coupled to said client com- 
puter for generating a decoded machine exe- 
cutable version of said application program 
from said transmission version of said applica- 
tion program only if said license verifier verifies 
that the user associated with said client com- 
puter is currently entitled to execute said appli- 
cation program. 

9. The system in Claim 8, wherein said controller in- 
cludes an application builder program module in- 
stalled and executing on said client computer, said 
application builder program module includes said li- 
cense verifier and said program decoder. 

10. The system in Claim 9, wherein said predetermined 
program access conditions associated with said ap- 
plication program include receipt of an encryption 
key from a valid copy of said application builder pro- 
gram on said client computer. 

11. The system in Claim 9, wherein 

said transmission version of said application 
program is at least partially encrypted with a public 
key associated with said user, said program decod- 
er decodes said transmission version of said appli- 



cation program with a corresponding private key, 
and said user associated public key and corre- 
sponding private key are generated by said appli- 
cation builder module. 



15 



20 



25 



30 



35 



40 



45 



SO 



9 



EP 0 778 512 A2 



100 




Client 1£2 



Communications 
Interface 



102 



Client 



Operating System 



109 



Web Browser 



Application Builder 



Licensee IO 



Private/Public Key(s) 



Program Decoder Mod. 



License Handler Mod. 



Program Execution Mod, 



Application! -Trial Version 
(encrypted) 



Applicatfc>n2-Trial Version 
(encrypted) 



-110 
-111 

-112 
-103 
-113 

-114 
-115 
-116 

-117 



S^J Network Interconnectivity 
(Switches, etc) 




102 



Client 



104 



120 



CPU 



128 



Communications 
Interface 



4 



A 



122 Information Server 



RAM 



126 



odobbbbbb 
oagaaBaaar 

BBBBOBBOP 



BOX 



User Interface 



Operating System 



Secondary Memory (Disk)/" 



124 



Web Server Application and Web Pages 



Trial Licensing Application Program 



Encryption and Formatting Module 



Public & Private Keys 



Application Builder 



Application! -Trial Version 



Application2-Trial Version 



Application3-Trial Version 



■130 
132 
•134 

■135 
■137 
■136 
138 
140 
142 



FIGURE 1 



10 



EP 0 778 512 A2 



160 



163 < 



164 ( 



TRY AND BUY WEB SITE 
For Generation Information, Select: 



168, 



The Try & Buy Program p- 165 


Application 


I Licensing Terms 


Application 


Application Builder 


Applications 





166 
167 



To Download a Trial Version of any of the following 
programs, select that item here: 



169< 



Application 



Application I Application Builder 



170 



Applications 



FIGURE 2 



Trial Version of Application 180 
Stored in Server Format 



182< 



181 



Application ID 



Licensee ID 
(Blank or Dummy) 



License Termination Date 
(Blank or Dummy) 



Server Public Key 



App Pgm 1 documentation 



License terms and 
relicensing information 



Application Program 1 
(non-encrypted) 



FIGURE 3 



.183 
.184 

-185 

-187 
-188 

-189 



11 



EP 0 778 512 A2 



Trial Version of Application 1 86 
Stored in Transmission Format 
( encrypted) 

s 



Application ID 



Licensee ID 



License Termination Date 



Server Public Key 



App Pgm 1 documentation 



License terms and 
relicensing information 



Application Program 1 



FIGURE 4 



-183 
-184 

-185 

-187 
-188 

-189 



Trial Version of Application 1 86 
Stored in Transmission Format 
(Alternate Distributed Form) 



181 



181- 



181- 



Application ID 



Server Public Key 



App Pgm 1 documentation 



License terms and 
relicensing information 



Application Programl -Part A 
(encrypted) 



Licensee ID 



Application Programl -Part B 
(encrypted) 



License Termination Date 



Application Programl -Part C 



FIGURES 



12 



EP 0 778 512 A2 



Trial Version of Application 1 96 
in Execution Format 



182^ 



181 



Application ID (optional) 



Licensee ID 
(optional) 



License Termination Date 
(optional) 



Application Program 1 
(decoded & non-encrypted) 



FIGURE 6 



192 



Select an Application or an 
Application component to include in 
your application: 



193 <^ 



Application 1 



Application 



Applications 



Expiration Date of Selected 
Application or Component: 



194 



xx / yy / zzzz 



FIGURE 7 



13 



EP 0 778 512 A2 



300 



302 



304 



Monitor request for application 
program by client computer. 



306 



Has Client computer 
requested access to an application 
program on server? ^ 



308. 



Compare predetermined access requirements 
to privileges of requesting client 



N 



310 



Do client privileges 
satisfy application program access^ 
requirements? 



312 



314 



Generate and transmit transmission 
formatted version of application program 
to client computer for receipt by user. 



Deny Access 
to Selected 
Application 
Program. 



316 — ""Is client computeT 

currently entitled to execute 
received application program?^ 



N 



318^ 

Generate executable version of application 
program on client computer. 




FIGURE 8 



14 



EP 0 778 512 A2 



400 



9 



User installs application builder on user computer 



Application builder builds encryption key 



I 



User identifies/locates desired trial application 
program from available trial programs 



I 



User requests trial license from try-and-buy server 
(or Application Builder requests trial license for 
user in response to user selecting trial application 
program) 



i 



Try-and-buy server activates license application 
program on server 



Trial license application program in server 
confirms that client (user) computer has a 
licensed copy or trial copy of Application Builder. 



I 



If client (user) computer does not have licensed 
or trial copy of application builder, prompt client 
(user) to review licensing terms and request 
license to trial copy of Application Builder 



I 



Trial license application program in server 
requests and receives user computer's application 
builders encrypted security data (Application 
Builder public key) 



FIGURE 9A 



402 



404 



406 



408 



410 



412 



414 



416 



FIGURE 9A 



FIGURE 9B 



FIGURE 9 



15 



EP 0 778 512 A2 



9 

Trial license application program generates trial 
version of the requested application program (a) 
encrypted with the client computer's Application 
Builder public key, and (b) includes a file header 
that specifies a (hard or soft) trial license 
expiration data. 

♦ 

Client computer receives and stores encrypted 
trial application program in client storag e format 

I 

Client initiates execution of Application Builder 

Client computer receives and stores 
encrypted trial Application Builder program 

Client initiates execution of encrypted trial 
version of application program in conjunction 
with executing application builder 

f 

Application Builder reads application program 
header. 

♦ 

Application Builder compares expiration date in 
the header with the current date on clients 
computer. 

Application Builder verifies that license to trial 
version of application program has not expired 

Application Builder decrypts and decodes 
encrypted trial application program. 



FIGURE 9B 



16 



CO 

< 

CM 

T— 

U) 

CO 
h- 

o 

Q. 

LU 



(19) 



J 



Europaisches Patentamt 
European Patent Office 
Office europeen dee brevets 



II 



(12) 



(11) EP 0 778 512 A3 

EUROPEAN PATENT APPLICATION 



(88) Date of publication A3: 

20.12.2000 Bulletin 2000/51 

(43) Date of publication A2: 

11.06.1997 Bulletin 1997/24 

(21) Application number: 96308246.6 

(22) Date of filing: 14.11.1996 



(51) mt ci 7: G06F 1/00, H04L 29/06 



(84) 


Designated Contracting States: 


(72) Inventor: Rose, John R. 




DE FR GB IT NL 


San Jose, California 94120 (US) 


(30) 


Priority: 08.12.1995 US 569804 


(74) Representative: 






Cross, Rupert Edward Blount et al 


(71) 


Applicant: SUN MICROSYSTEMS, INC. 


BOULT WADE TEN N ANT, 




Mountain View, California 94043-1100 (US) 


Verulam Gardens 






70 Gray's Inn Road 






London WC1X8BT (GB) 



(54) System and method for managing try-and-buy usage of application programs 



(57) A system and method for managing the distri- 
bution of licensed application programs stored on a 
server over a distributed computer system maintains 
control over the program even after the program has 
been distributed to a client computer from a provider on 
an information server. Protection may include license 
expiration date verification, authorized user ID verifica- 
tion, and protection against decompilation and reverse 
engineering by maintaining the program in an encrypted 
form until verification of the expiration date and user 
identity are complete and the program is ready for de- 
coding, loading into the client computer CPU, and exe- 
cution. A user identifies a program for trial use by any 
conventional means such as by using a network brows- 



er on the World Wide Web. The server recognizes a user 
request to access the application program. The server 
may have an agent on the client computer for performing 
certain predetermined administrative tasks. This agent 
may take the form of an application builder program 
module, provided by the trial application provider, which 
is resident on the client computer. The server (including 
the agent) determines whether program access condi- 
tions are satisfied, and if satisfied transmits a version of 
the program to the client. The transmitted file includes 
an encrypted portion. The server and agent also verify 
that the user is currently entitled to execute the applica- 
tion program including that the trial license has not ex- 
pired at the time the user initiates execution, and gen- 
erates an executable version of the application program. 



Printed by Jouve, 75001 PARIS (FR) 



EP 0 778 512 A3 



3 



European Patent 
Office 



EUROPEAN SEARCH REPORT 



Application Number 

EP 96 30 8246 



DOCUMENTS CONSIDERED TO BE RELEVANT 



Category 



Citation of document with indication, where appropriate, 
of relevant passages 



Relevant 

to claim 



CLASSIFICATION OF THE 
APPLICATION flnt.CL6> 



US 5 103 476 A (WAITE DAVID P ET AL) 
7 April 1992 (1992-04-07) 

* column 2, line 36 - line 57; figure 3 * 

* column 2, line 66 - column 3, line 8 * 

* column 3, line 24 - line 64 * 

* column 4, line 8 - line 48 * 



EP 0 665 486 A (AT & T CORP) 
2 August 1995 (1995-08-02) 
* abstract; figure 2 * 



G06F1/00 
H04L29/06 



2-6,8,9 

1,2,5,6, 
8,9 



TECHNICAL FIELDS 
SEARCHED <lnt.CU) 



G06F 
H04L 



The present search report has been drawn up for ail claims 



Place of Match 

THE HAGUE 



Dote of completion ol (he ceaicri 

20 October 2000 



Examiner 

Arbutlna, L 



CATEGORY OF CITED DOCUMENTS 

X ; particularly relevant II taken alone 

Y : particularly relevant If combined with another 

document of the same category 
A : technological background 
O : non-written disclosure 
P : Intermediate document 



T : tneory or pnncfcle underlying the Invention 
E : earlier patent document, but published on, or 

after the filing date 
O : document cited in the application 
L : document cited for other reasons 



& : member ol the same patent family, corresponding 
document 



2 



EP0 778 512 A3 



ANNEX TO THE EUROPEAN SEARCH REPORT 
ON EUROPEAN PATENT APPLICATION NO. 



EP 96 30 8246 



This annex lists the patent family members relating to the patent documents cited in the above-mentioned European search report. 
The members are as contained in the European Patent Office EDP file on 

The European Patent Office Is in no way liable for these particulars which are merely given for the purpose of Information. 

20-10-2000 



Patent document 




Publication 




Patent family 


Publication 


cited in search report 




date 




member(s) 


date 


US 5103476 


A 


07-04-1992 


AT 


171024 T 


15-09-1998 








CA 


2095723 A 


08-05-1992 








OE 


69130175 D 


15-10-1998 








DE 


69130175 T 


10-02-2000 








EP 


0556305 A 


25-08-1993 








JP 


7089345 B 


27-09-1995 








JP 


6501120 T 


27-01-1994 








WO 


9209160 A 


29-05-1992 








US 


5222134 A 


22-06-1993 


EP 0665486 


A 


02-08-1995 


US 


5509074 A 


16-04-1996 








CA 


2137065 A 


28-07-1995 








JP 


7239828 A 


12-09-1995 



§ 

2 

O 

£j For more details about this annex : see Official Journal of the European Patent Office, No. 12/62 



3 



